frr: CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129


Debian Bug report logs - #1008010


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 20 Mar 2022 14:42:04 UTC

Severity: important

Tags: security, upstream

Found in version frr/8.1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, David Lamparter <equinox-debian@diac24.net>: Bug#1008010; Package src:frr. (Sun, 20 Mar 2022 14:42:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, David Lamparter <equinox-debian@diac24.net>. (Sun, 20 Mar 2022 14:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: frr: CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129
Date: Sun, 20 Mar 2022 15:40:03 +0100
Source: frr
Version: 8.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for frr.

CVE-2022-26125[0]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to wrong checks on the input packet length in isisd/isis_tlvs.c.


CVE-2022-26126[1]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to the use of strdup with a non-zero-terminated binary string in
| isis_nb_notifications.c.


CVE-2022-26127[2]:
| A buffer overflow vulnerability exists in FRRouting through 8.1.0 due
| to missing a check on the input packet length in the
| babel_packet_examin function in babeld/message.c.


CVE-2022-26128[3]:
| A buffer overflow vulnerability exists in FRRouting through 8.1.0 due
| to a wrong check on the input packet length in the babel_packet_examin
| function in babeld/message.c.


CVE-2022-26129[4]:
| Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due
| to wrong checks on the subtlv length in the functions,
| parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in
| babeld/message.c.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-26125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26125
[1] https://security-tracker.debian.org/tracker/CVE-2022-26126
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26126
[2] https://security-tracker.debian.org/tracker/CVE-2022-26127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26127
[3] https://security-tracker.debian.org/tracker/CVE-2022-26128
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26128
[4] https://security-tracker.debian.org/tracker/CVE-2022-26129
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26129

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
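The babeld CVEs reported above (CVE-2022-26127, CVE-2022-26128, CVE-2022-26129) share one root cause: a length field in a packet, TLV or sub-TLV is trusted without being compared against the bytes actually received. The following C walker over a Babel TLV body is an added illustration of the checks that bug class omits; it is constructed for this page and is not FRR's code. It assumes the RFC 8966 layout of the Hello TLV (type 4, six fixed bytes, then sub-TLVs), and the function name and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Count the sub-TLVs carried by Hello TLVs (type 4) in a Babel TLV body.
 * Layout assumed from RFC 8966: each TLV is type(1) length(1) value; type 0
 * is a single pad byte with no length; a Hello value is flags(2) seqno(2)
 * interval(2) followed by sub-TLVs in the same type/length/value form.
 * Returns -1 as soon as any length field claims bytes that are not there,
 * which is the check the CVEs above describe as missing or wrong. */
int count_hello_subtlvs(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        uint8_t type = buf[pos];
        if (type == 0) { pos++; continue; }          /* Pad1: no length byte */
        if (pos + 2 > len) return -1;                /* TLV header truncated */
        size_t tlen = buf[pos + 1];
        if (tlen > len - pos - 2) return -1;         /* value runs past end  */
        if (type == 4) {
            const uint8_t *val = buf + pos + 2;
            if (tlen < 6) return -1;                 /* shorter than fixed part */
            size_t sp = 6;
            while (sp < tlen) {
                if (val[sp] == 0) { sp++; continue; }  /* sub-TLV Pad1 */
                if (sp + 2 > tlen) return -1;        /* sub-TLV header truncated */
                size_t slen = val[sp + 1];
                if (slen > tlen - sp - 2) return -1; /* sub-TLV overruns its TLV */
                count++;
                sp += 2 + slen;
            }
        }
        pos += 2 + tlen;
    }
    return count;
}

int main(void)
{
    /* Constructed input: a well-formed Hello carrying one PadN sub-TLV, then a
     * Hello whose sub-TLV length (5) exceeds the single byte left after its
     * header. The second must be rejected, not read past the buffer. */
    const uint8_t good[] = {4, 10, 0, 0, 0, 1, 1, 0x90, 1, 2, 0, 0};
    const uint8_t bad[]  = {4, 9, 0, 0, 0, 1, 1, 0x90, 1, 5, 0};
    printf("good: %d\n", count_hello_subtlvs(good, sizeof good)); /* 1 */
    printf("bad: %d\n", count_hello_subtlvs(bad, sizeof bad));    /* -1 */
    return 0;
}
```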





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 21 13:08:37 2022; Machine Name: bembo
